Commit Graph

137 Commits

Author SHA1 Message Date
Charles Herlin
6365f58b4c Renumbering 4.x checks
renamed:    4.1_restrict_core_dumps.sh -> 1.5.1_restrict_core_dumps.sh
	renamed:    4.2_enable_nx_support.sh -> 1.5.2_enable_nx_support.sh
	renamed:    4.3_enable_randomized_vm_placement.sh -> 1.5.3_enable_randomized_vm_placement.sh
	renamed:    4.4_disable_prelink.sh -> 1.5.4_disable_prelink.sh
	renamed:    ../../tests/hardening/4.4_disable_prelink.sh -> ../../tests/hardening/1.5.1_restrict_core_dumps.sh
	renamed:    ../../tests/hardening/4.3_enable_randomized_vm_placement.sh -> ../../tests/hardening/1.5.2_enable_nx_support.sh
	renamed:    ../../tests/hardening/4.2_enable_nx_support.sh -> ../../tests/hardening/1.5.3_enable_randomized_vm_placement.sh
	renamed:    ../../tests/hardening/4.1_restrict_core_dumps.sh -> ../../tests/hardening/1.5.4_disable_prelink.sh
2019-08-28 17:26:27 +02:00
Charles Herlin
fe25b1ba38 Renumbering of bootloader checks
renamed:    3.1_bootloader_ownership.sh -> 1.4.1_bootloader_ownership.sh
	renamed:    3.3_bootloader_password.sh -> 1.4.2_bootloader_password.sh
	renamed:    3.4_root_password.sh -> 1.4.3_root_password.sh
	deleted:    3.2_bootloader_permissions.sh
	renamed:    ../../tests/hardening/3.4_root_password.sh -> ../../tests/hardening/1.4.1_bootloader_ownership.sh
	renamed:    ../../tests/hardening/3.3_bootloader_password.sh -> ../../tests/hardening/1.4.2_bootloader_password.sh
	renamed:    ../../tests/hardening/3.1_bootloader_ownership.sh -> ../../tests/hardening/1.4.3_root_password.sh
2019-08-28 17:19:59 +02:00
Charles Herlin
0b85d16c16 First batch of renaming to comply to comply to 8v2 and 9 pdf
renamed:    2.19_disable_freevxfs.sh -> 1.1.1.1_disable_freevxfs.sh
	renamed:    2.20_disable_jffs2.sh -> 1.1.1.2_disable_jffs2.sh
	renamed:    2.21_disable_hfs.sh -> 1.1.1.3_disable_hfs.sh
	renamed:    2.22_disable_hfsplus.sh -> 1.1.1.4_disable_hfsplus.sh
	renamed:    2.24_disable_udf.sh -> 1.1.1.5_disable_udf.sh
	renamed:    2.7_var_log_partition.sh -> 1.1.11_var_log_partition.sh
	renamed:    2.8_var_log_audit_partition.sh -> 1.1.12_var_log_audit_partition.sh
	renamed:    2.9_home_partition.sh -> 1.1.13_home_partition.sh
	renamed:    2.10_home_nodev.sh -> 1.1.14_home_nodev.sh
	renamed:    2.14_run_shm_nodev.sh -> 1.1.15_run_shm_nodev.sh
	renamed:    2.15_run_shm_nosuid.sh -> 1.1.16_run_shm_nosuid.sh
	renamed:    2.16_run_shm_noexec.sh -> 1.1.17_run_shm_noexec.sh
	renamed:    2.11_removable_device_nodev.sh -> 1.1.18_removable_device_nodev.sh
	renamed:    2.13_removable_device_nosuid.sh -> 1.1.19_removable_device_nosuid.sh
	renamed:    2.12_removable_device_noexec.sh -> 1.1.20_removable_device_noexec.sh
	renamed:    2.17_sticky_bit_world_writable_folder.sh -> 1.1.21_sticky_bit_world_writable_folder.sh
	renamed:    2.25_disable_automounting.sh -> 1.1.22_disable_automounting.sh
	renamed:    2.1_tmp_partition.sh -> 1.1.2_tmp_partition.sh
	renamed:    2.2_tmp_nodev.sh -> 1.1.3_tmp_nodev.sh
	renamed:    2.3_tmp_nosuid.sh -> 1.1.4_tmp_nosuid.sh
	renamed:    2.4_tmp_noexec.sh -> 1.1.5_tmp_noexec.sh
	renamed:    2.5_var_partition.sh -> 1.1.6_var_partition.sh
	renamed:    1.1_install_updates.sh -> 1.8_install_updates.sh
2019-08-27 15:30:47 +02:00
Thibault Ayanides
88e3a515ef 5.2.17_sshd_login_grace_time 2020-10-05 17:26:13 +02:00
Thibault Ayanides
55c1cdbdde 5.2.3_ssh_host_public_keys_perm_ownership 2020-10-05 17:05:47 +02:00
Thibault Ayanides
6f5d714b55 5.2.2_ssh_host_private_keys_perm_ownership 2020-10-05 17:05:26 +02:00
Thibault Ayanides
d6e5803252 4.2.4_logs_permissions 2020-10-05 13:17:44 +02:00
Thibault Ayanides
922f28c200 4.2.3_install_syslog-ng 2020-09-30 17:03:10 +02:00
Charles Herlin
5a1a70bbd3 FIX(test/10.2): backup and restore /etc/passwd after test 2019-08-28 12:30:13 +02:00
Charles Herlin
a4969e6ba6 IMP(99.3.1): improve check with disabled passwords 2019-08-28 11:49:01 +02:00
Charles Herlin
96f3b74334 FIX(10.2): improve test to check multiple login shells
fix IFS bug
add test
2019-08-28 11:47:49 +02:00
Charles Herlin
1ec77dbb56 FIX(13.15): fix code that did not show duplicated group
Add tests
Apply shellcheck recommendations
2019-03-28 17:51:02 +01:00
Charles Herlin
8f87d75293 FIX(99.5.4): fix regex to allow other authkey options than "from" 2019-03-15 18:17:48 +01:00
Charles Herlin
02673826a0 FIX(8.2.x): fix grep and find in audit scripts 2019-03-18 16:19:05 +01:00
Charles Herlin
be1ad3e581 IMP(99.5.4): add conf to check only listed users 2019-03-05 10:49:45 +01:00
Charles Herlin
9ada868f43 IMP(8.2.4): add exceptions in check and apply
Apply shellcheck recommendations
2019-03-01 12:12:42 +01:00
Charles Herlin
41ccd5655a CHORE(test 8.2.5): removed useless cleanup line 2019-02-26 15:19:05 +01:00
Charles Herlin
e46a85dc6c FIX(9.3.2): dismiss test for initial after e7d9977
LogLevel not consistent at install time between debian versions
Easier to dismiss this check's result at the first step
2019-02-26 15:16:06 +01:00
Charles Herlin
1caf0f489a FIX(12.1x): fix tests exception for mail after da6acb0b
Installing syslog-ng in Dockerfile added some suid/sgid binaries that
needed to be treated as exception in test scenarii
2019-02-26 15:08:21 +01:00
Charles Herlin
de7dfe5956 CHORE(2.1x): use "readlink -e" instead of custom func
Removed get_partition_from_symlink()
2019-02-26 15:06:51 +01:00
Charles Herlin
8031c388c6 IMP(9.3.2): Comply with Debian9 guide: verbose ssh loglevel 2019-02-25 15:16:02 +01:00
Charles Herlin
f7f2f614aa IMP(9.3.2): Add custom configuration management
Add create_config to allow user to customize their conf

Improve tests
Apply shellcheck recommendations
2019-02-22 15:40:01 +01:00
Charles Herlin
605a768fe1 IMP(13.13): Add exceptions for home directories not owned by owner
Fill tests

Apply shellcheck recommendations
2019-02-22 15:22:58 +01:00
Charles Herlin
80a1146af7 IMP(8.2.5): find multiline pattern in files (syslog)
Add func to find pattern in file that spreads over multiple lines
The func will remove commented lines (that begin with '#')
and consider the file as one long line.
Thus, this is not possible to look for pattern at beginning of line
with this func ('^' and '$')

Improved pattern in 8.2.5

Add syslog-ng to installed dependencies in Dockerfiles

Fixed multifile arguments when looking for pattern that got broken
in d2bbf754 due to "nocase" and _does_pattern_exist_in_file wrapper
Please note that you can only look for pattern in ONE FILE at once
Fixed 8.2.5 and 8.3.2 with for loop on files and 'FOUND' flag
You now need to specify each and every file to look for or embed a
'find' command as follow :
`FILES="$SYSLOG_BASEDIR/syslog-ng.conf $(find $SYSLOG_BASEDIR/conf.d/)"`

Improved test files
Applied shellcheck recommendations
2019-02-22 12:39:41 +01:00
Charles Herlin
7408216957 IMP(2.1x): Retrieve actual partition when symlink
Add function to retrieve actual partition from symlink in lib/utils.sh
Using this func in all 3 audit scripts

Improved tests to test this func

Apply shellcheck recommendations
Trim trailing spaces
2019-02-22 12:22:14 +01:00
Charles Herlin
ac76942ca7 CHORE(tests): cleanup test files 2019-02-18 18:08:19 +01:00
Charles Herlin
cf42666833 FIX(tests): change sed in conf file disabled->audit following d6172ad
In test cases, changed in sed command "disabled" to "audit" to enable
apply part, following this commit
d6172ad Change default status disabled -> audit when no conf file

 5f28036 - Change default status to audit for file with custom
  `create_config` (Charles Herlin Thu Feb 14 14:33:21 2019 +0100)
2019-02-15 17:42:17 +01:00
Charles Herlin
6cbe8f572f CHORE(tests): Cleanup test files 2019-02-18 18:10:22 +01:00
Charles Herlin
982301d395 FIX(tests): improve test cases and cleanup 2019-02-18 17:25:04 +01:00
Charles Herlin
d18f5edfba FIX(99.2): add missing $SUDO_CMD 2019-02-15 16:56:54 +01:00
Charles Herlin
6afed4eedb Add test stub for all audit checks, to tests root/sudo consistency 2019-02-14 18:10:46 +01:00
Charles Herlin
bad32f8078 Rename dismiss_test to skip_tests since test won't even run in this case 2019-02-14 17:52:45 +01:00
Charles Herlin
1586dae0c5 Improve user management in test cases 2019-02-14 11:15:51 +01:00
Charles Herlin
1281860401 IMP: enhance scripts that check duplicate UID
Add exception handling in 13.14_check_duplicate_uid
Clarifies output message and explicitly displays found exceptions
Add tests
Apply shellcheck recommendation

modified:   bin/hardening/13.14_check_duplicate_uid.sh
modified:   bin/hardening/13.5_find_0_uid_non_root_account.sh
new file:   tests/hardening/13.14_check_duplicate_uid.sh
new file:   tests/hardening/13.5_find_0_uid_non_root_account.sh
2019-02-13 16:07:06 +01:00
Charles Herlin
810fee4c8f Migrate generic checks from secaudit to cis-hardening
new file:   99.3.1_acc_shadow_sha512.sh
new file:   99.3.2_acc_sudoers_no_all.sh
new file:   99.4_net_fw_default_policy_drop.sh
new file:   99.5.1_ssh_auth_pubk_only.sh
new file:   99.5.2.1_ssh_cry_kex.sh
new file:   99.5.2.2_ssh_cry_mac.sh
new file:   99.5.2.3_ssh_cry_rekey.sh
new file:   99.5.3_ssh_disable_features.sh
new file:   99.5.4_ssh_keys_from.sh
new file:   99.5.5_ssh_strict_modes.sh
new file:   99.5.6_ssh_sys_accept_env.sh
new file:   99.5.7_ssh_sys_no_legacy.sh
new file:   99.5.8_ssh_sys_sandbox.sh
new file:   99.5.9_ssh_log_level.sh

Fix descriptions in comment section for 99.* secaudit checks

Remove duplicated legacy services that are already taken care of by vanilla cis

Enable custom configuration of checks in config-file, no more hard coded conf
Add test to disable check if debian version is too old
Add excused IPs while checking "from" field of authorized_keys
Escaping dots in IPs
Manage Kex for different debian versions
Add tests for generic checks and add apply for ssh config
Apply shellcheck recommendations on audit/hardening scripts
Update script to check for allowed IPs only, remove bastion related
Fill `apply` func for ssh config related scripts
Add and update tests scenarii

Disable shellcheck test for external source 1091

As of today, the entire project is not shellcheck compliant, I prefer
disabling the test that warns about not finding external source (that
arent compliant). I will enable it again when the project library will
be shellchecked
https://github.com/koalaman/shellcheck/wiki/SC1091

Refactor password policy check with one check by feature

Previous file will now only look for bad passwords in /etc/shadow
I added two checks that look for the compliant configuration lines in
conf files /etc/logins.defs and /etc/pam.d/common-passwords

FIX: merge chained sed and fix regex

FIX: update regex to capture more output
FIX: fix pattern to ignore commented lines, add apply

Also add tests to ensure that commented lines are not detected as valid
configuration

CHORE: cleanup test situation with file and users removal
IMP: add case insensitive option when looking for patterns in files
CHORE: removed duplicated line in test file
2017-12-20 15:14:30 +01:00
Charles Herlin
e8ae07c2e8 IMP: new tag in file to tell that the script should pass shellcheck
The `# run-shellchek` tag must be placed in the first 10 lines of the
file
2019-01-24 11:11:08 +01:00
Charles Herlin
863adc9c84 IMP(test): Add feature to run functional tests in docker instance
Add usecase in basename
Add test files for checks with find command
Always show logs
FIX: run void script to generate config and avoid sed failure
Update README with functional test description
Add skeleton for functional test
Add argument to launch only specific test suite
Add support for debian8 and compulsory mention of debian version at
launch
Improve README
Simplify test file syntax to avoid copy/paste mistake
Add script that runs tests on all debian targets
Improve run_all_target script with nowait and nodel options
Add dockerfile for Buster pre-version
Chore: Use getopt for options and reviewed code by shellcheck
Add trap to ensure cleanup on exit/interrupt
Remove quotes that lead to `less` misinterpretation of the filenames
Set `local` for variables inside `test_audit` func
Move functional assertion functions to dedicated file
Add cleanup for logs and containers
Improve cleanup, and now exits
Apply shellcheck recommendations
FIX: allow script to be run from anywhere (dirname $0)

 Changes to be committed:
	modified:   README.md
	new file:   src/skel.test
	new file:   tests/docker/Dockerfile.debian10_20181226
	new file:   tests/docker/Dockerfile.debian8
	new file:   tests/docker/Dockerfile.debian9
	new file:   tests/docker_build_and_run_tests.sh
	new file:   tests/hardening/12.10_find_suid_files.sh
	new file:   tests/hardening/12.11_find_sgid_files.sh
	new file:   tests/hardening/12.7_find_world_writable_file.sh
	new file:   tests/hardening/12.8_find_unowned_files.sh
	new file:   tests/hardening/12.9_find_ungrouped_files.sh
	new file:   tests/hardening/2.17_sticky_bit_world_writable_folder.sh
	new file:   tests/launch_tests.sh
	new file:   tests/lib.sh
	new file:   tests/run_all_targets.sh
2018-12-24 14:12:59 +01:00